Solved: Re: Extracting and Compare Folder Path From CSV

ramuzzini · ‎09-05-2024

Hello, working on monitoring if someone has moved a file outside a specific folder inside a preset folder structure on a network using data from a CSV source. Inside csv, I am evaluating two specific fields used:

Source_Directory and Destination_Directory

I am trying to compare the two going 3 folders deep in the file path but running into issue when performing my rex command. Preset folder structure is: "\\my.local\d\p\" pulled from the data set used. Within the folder "\p\", there are various folder names. Need to eval if a folder path is different beyond the preset path of "\\my.local\d\p\..." I put in bold what a discrepancy would if there is one.

Example data in CSV:
Source_Directory Destination_Directory
\\my.local\d\p\prg1\folder1\bfolder \\my.local\d\p\prg1\folder1\ffolder
\\my.local\d\p\prg2\folder1 \\my.local\d\p\prg2\folder2
\\my.local\d\p\prg1\folder2 \\my.local\d\p\prg2\folder1\xfolder\mfolder\
\\my.local\d\p\prg3\folder2\afolder \\my.local\d\p\prg3\folder2
\\my.local\d\p\prg2\folder1 \\my.local\d\p\prg1\folder3

Output query I am trying to create
  Status Source_Directory Destination_Directory
Same \\my.local\d\p\prg1\folder1\bfolder \\my.local\d\p\prg1\folder1\ffolder
Same \\my.local\d\p\prg2\folder1 \\my.local\d\p\prg2\folder2
Different   \\my.local\d\p\prg1\folder2 \\my.local\d\p\prg2\folder1\xfolder\mfolder\
Same \\my.local\d\p\prg3\folder2\afolder \\my.local\d\p\prg3\folder2
Different   \\my.local\d\p\prg2\folder1 \\my.local\d\p\prg1\folder3

If folder name is different after the preset"\\my.local\d\p\" path I need that to show in the "Status" output. I have searched extensively on how to use this rex command in this instance with no luck so thought I would post my issue. Here is the search I have been trying to use.

Splunk Search

 host="my.local"  source="file_source.csv"  sourcetype="csv"
| eval src_dir = Source_Directory
| eval des_dir = Destination_Directory
| rex src_path = src_dir "(?<path>.*)\\\\\w*\.\w+$"
| rex des_path= des_dir "(?<path>.*)\\\\\w*\.\w+$"
| eval status = if (src_path = des_path, "Same", "Diffrent")
| table  status, Source_Directory, Destination_Directory

Any assistance would be much appreciated.

ITWhisperer · ‎09-05-2024

host="my.local"  source="file_source.csv"  sourcetype="csv"
| rex field=Source_Directory "\\\\([^\\\\]+\\\\){3}(?<src_folder>[^\\\\]+)"
| rex field=Destination_Directory "\\\\([^\\\\]+\\\\){3}(?<dest_folder>[^\\\\]+)"
| eval status = if(src_folder = dest_folder, "Same", "Different")
| table  status, Source_Directory, Destination_Directory

View solution in original post

ramuzzini · ‎09-05-2024

Thank you. Was going about that all backwards.

ITWhisperer · ‎09-05-2024

host="my.local"  source="file_source.csv"  sourcetype="csv"
| rex field=Source_Directory "\\\\([^\\\\]+\\\\){3}(?<src_folder>[^\\\\]+)"
| rex field=Destination_Directory "\\\\([^\\\\]+\\\\){3}(?<dest_folder>[^\\\\]+)"
| eval status = if(src_folder = dest_folder, "Same", "Different")
| table  status, Source_Directory, Destination_Directory

Extracting and Compare Folder Path From CSV

eval

field extraction

rex

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?